Enterprise to Cloud Security Assessment - A Method using OSSTMM 3.0 Concepts

Ronivon Costa, Carlos Serrão

Abstract

Much has been said about security, and with the widespread adoption of Cloud computing the discussion has followed the buzz and put Cloud Security in the spotlight. Security guides for the Cloud have been published, but we understand that a practical assessment methodology is still missing that would allow organizations to quickly understand how the security of their assets is affected when those assets are farmed out to Public Clouds. Our contribution to this problem is a method that isolates the organization’s assets from the environment in which they are hosted and compares metrics from the environment only. This method provides the important benefit of allowing the organization to determine how its security will be affected without having to actually migrate its resources.



Paper Citation


in Harvard Style

Costa R. and Serrão C. (2013). Enterprise to Cloud Security Assessment - A Method using OSSTMM 3.0 Concepts. In Proceedings of the International Conference on Knowledge Discovery and Information Retrieval and the International Conference on Knowledge Management and Information Sharing - Volume 1: ISI–BDM, (IC3K 2013) ISBN 978-989-8565-75-4, pages 571-578. DOI: 10.5220/0004666005710578


in Bibtex Style

@conference{isi–bdm13,
author={Ronivon Costa and Carlos Serrão},
title={Enterprise to Cloud Security Assessment - A Method using OSSTMM 3.0 Concepts},
booktitle={Proceedings of the International Conference on Knowledge Discovery and Information Retrieval and the International Conference on Knowledge Management and Information Sharing - Volume 1: ISI–BDM, (IC3K 2013)},
year={2013},
pages={571-578},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004666005710578},
isbn={978-989-8565-75-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Knowledge Discovery and Information Retrieval and the International Conference on Knowledge Management and Information Sharing - Volume 1: ISI–BDM, (IC3K 2013)
TI - Enterprise to Cloud Security Assessment - A Method using OSSTMM 3.0 Concepts
SN - 978-989-8565-75-4
AU - Costa R.
AU - Serrão C.
PY - 2013
SP - 571
EP - 578
DO - 10.5220/0004666005710578